How Random is System.Guid.NewGuid()?

I know this may sounds like a pointless question, but hear me out...

I basically want to know if I can trust the GUID to generate a value which will be unique 100% of the time and impossible to predict.

I'm basically rolling my on login system for a website and want to know if the GUID is secure enough for session cookies.

Any background on how the GUID is generated would be much appreciated in evaluating the answers.

Thanks for the links to duplicate questions, however, my question is specific to the .Net framework.

Here's an excellent breakdown by Raymond Chen

No fixed-length value can ever guarantee to be 100% unique (just call it enough times, give or take the universe ending ;-p) - but it can be very, very, very unlikely to duplicate.

I can't speak to the predictability of sequential numbers but it will be unique. I think you'd be better off using a random number generator from System.Security.Cryptography, though. Tie a random number with a monotonically increasing value (time) to generate your unique key and you can be sure that it is unique and not predictable.

The documentation for System.Guid.NewGuid() makes no guarantees for randomness, so while the current implementation is based on a random number generator (it's version 4 of the algorithm, which was devised after privacy concerns arose from version 1 which used the MAC address; other system's like Apple's OS X still use version 1 of the algorithm).

So while you have a very high probabilty of System.Guid.NewGuid() generating a unique value, you can't make any assumptions about its predictability because that's not specified by the documentation.

I dunno about .NET, but the UUID algorithm is defined fairly precisely.

edit: if you look at the appropriate bits (see wikipedia entry), that should explain which version of UUID is being used.

edit 2: a red flag for your use of the word "secure", which tells me you're better off using a well-defined cryptographic method. For example, when generating session IDs on a server, why just not do something simple like apply an MD5 hash to the concatenation of an appropriate subset of the following: {client machine IP address, sequentially incremented counter, fixed secret constant of your choice, output from random number generator of your choice, etc.} ?

Assuming that System.Guid.NewGuid uses CoCreateGuid, it is not random at all. Historically, the algorithm used for creating guids was to incorporate the MAC address from a network adapter, in addition to some other things like the time. I'm not sure if the algorithm has changed. While it certainly is not random, it is guaranteed to be unique.

> I basically want to know if I can trust the GUID to generate a value > which will be unique 100% of the time and impossible to predict. > > I'm basically rolling my on login system for a website and want to > know if the GUID is secure enough for session cookies.

Short answer: not at all. It's important to note that unique and random are completely different. If you had a universal counter (like taking a number at a deli), those numbers are unique, but completely predictable.

As Bochu notes above, Raymond's post here talks about it: https://blogs.msdn.microsoft.com/oldnewthing/20120523-00/?p=7553/

> The GUID generation algorithm was designed for uniqueness. It was not designed for randomness or for unpredictability. Indeed, if you look at an earlier discussion, you can see that so-called Algorithm 1 is non-random and totally predictable. ... Even the Version 4 GUID algorithm (which basically says "set the version to 4 and fill everything else with random or pseudo-random numbers") is not guaranteed to be unpredictable, because the algorithm does not specify the quality of the random number generator.

For secure random numbers, you need a crytographically secure random number generator.

By the way, "rolling my own login system" is a security red flag -- I would be remiss if I didn't point that out.

GUIDs are, by definition, unique in all regards. There were, once upon a time, some GUID0-generation routines that were generating sequential GUIDs, but those were problems in... Win98, I think, and were hotfixed by Microsoft.

You should be able to trust a generated GUID to be unique and never repeated or regenerated.

(EDIT: Having said that, we all understand that a string of alphanumeric characters has a fixed number of permutations, if the string is fixed in length. But in the case of a GUID the number of permutations is economical*.)

(* Dammit, where's that XKCD where the proposes "astronomic" numbers aren't large enough?)